SYSTEM AND METHOD FOR HANDLING FLOWS IN A NETWORK


Claim to Priority 

This application claims the benefit of United States Provisional Application No. 
60/149,174, filed on August 17, 1999. 

Field of the Invention 

The field of the invention is handling flows in a network, and in particular handling 
packets that relate to the same conversation as a part of a flow. 

Brief Description of the Drawings 

Figure 1 shows a switch that handles a flow between two hosts in accordance with an 
embodiment of the present invention. 

Figure 2 shows a flow that passes through one Ethernet switch between two hosts in 
accordance with an embodiment of the present invention. 

Figure 3 shows flows between two switches and two hosts in accordance with an 
embodiment of the present invention. 

Figure 4 shows multicast flows in accordance with an embodiment of the present 
invention. 

Summary of the Invention 

A flow in a network is identified and handled by using a virtual host address. A packet is 
received at a switch with a first virtual host address as its destination address. If the packet is the 
first packet of a flow received by the switch, then a second virtual host address is determined by 
the switch. The first virtual host address is stored in a packet forwarding table correlated with the 
second virtual host address. A subsequently received packet of the same flow has the same first 
virtual host address as its destination address, and is forwarded to the second virtual host address 
in accordance with the packet forwarding table. 

Detailed Description 

The wide area network is evolving to one that integrates virtual circuit switching (label
swapping) for flows with conventional datagram forwarding. A first step along that road was
described by Ipsilon (Newman, P. et al., "IP Switching - ATM Under IP," IEEE Trans. on
Networking, Vol. 6, No. 2, April 1998), which:

a) uses a classification algorithm to detect flows among the influx of IP packets; 

b) uses IP datagram forwarding to determine where to send the packet; 

c) creates a virtual circuit connection through the switch to the same place that the IP 
packet is being sent; 

d) transmits the VCI of that connection to the upstream switch with an indication 
that subsequent packets should be encapsulated with that VCI; and 

e) arranges that incoming packets encapsulated with that VCI are switched not 
routed. 

We have modified this concept to provide flow switching on local area networks (LANs) 
that use Ethernet. Figure 1 illustrates a switch that handles a flow between two hosts, H and K. 
Usually, Ethernet addresses are of hosts rather than endpoints of flows. Our design uses 
Ethernet addresses to also identify flows on the LAN. It is exactly as if the switch contains one 
virtual host for every flow. The Ethernet address of that virtual host, referred to here as V, is 
temporarily assigned from a block of locally administered Ethernet addresses. Packets of a flow 
from host H to host K pass through the virtual host V. The source and destination addresses in 
packets leaving H are H and V respectively. Packets traveling from V to K have source and 
destination addresses equal to V and K. The switch performs Ethernet address swapping as 
follows: 

a) the destination address of an incoming packet is moved into the source address 
field; and 

b) a new destination address is obtained from a "VC forwarding table" held within 
the switch. 

The technique is compatible with existing applications of Ethernet because in effect all 
we have done is to add extra (virtual) hosts to the network. 




Whereas the Ipsilon technique used a classification algorithm to detect flows among IP 
packets, we have experimented with the idea that the host application should make that decision. 
We have added a single byte, vc_flag, in the general socket structure of our hosts to say that the 
application wants special service for the flow of packets passing through the socket. The 
presence of that flag tells the socket software to use a virtual host Ethernet address instead of the 
destination Ethernet address implied by the IP header. 

The switch does traditional Ethernet packet forwarding on all packets except those that 
are addressed to a virtual host. Packets addressed to a virtual host are switched using data in a 
VC forwarding table. The first packet for a new flow causes an entry to be made in the VC
forwarding table based upon the IP destination contained in the packet. 

By this means we have created in the local area a sufficient means to provide quality 
communication service on a per-flow basis. When the technique is matched to flow switching in 
a wide area network the user has full benefit of end-to-end flow switching, from a socket in one 
host to a socket in another. This has been achieved with minimal impact on host software, no 
interference with existing applications, and complete compatibility with existing Ethernets. 

Ethernet RFC 894 packet format:

DESTINATION ADDRESS | SOURCE ADDRESS | TYPE | PAYLOAD | PAD | FRAME CHECK

The Ethernet frame format illustrated above consists of a destination address, source
address and protocol type indicator followed by the payload and a frame check. In the following 
diagrams which describe how Ethernet addresses are manipulated during switching, we are only 
interested in the destination and source addresses. So Ethernet packets will be represented thus: 

DESTINATION | SOURCE




Certain Ethernet addresses are used to identify flows. This is done in such a way that
network software in the host computers connected to the network works under the impression that
the Ethernet, as always, is a device for sending datagrams (individual packets) from one
computer to another. An Ethernet switch that supports flows behaves as if it contains within it
one virtual host for every flow.


Figure 2 illustrates a flow that passes through one Ethernet switch between hosts H and
K. The flow is represented in that switch by virtual host V. Host H is connected by an Ethernet
to port P1 of switch S, and P2 is connected by Ethernet to host K. Within the switch, incoming
packets with destination address V are routed according to the table shown in the lower block.
Packets arriving with host address H are rejected if they did not come from port P1. Likewise,
packets from K are rejected if they did not come from port P2.

The packet forwarding process first copies the destination address (V) of the incoming 
packet into the source address of the outgoing packet and then it copies the new destination 
address from the table. Host K is the destination for packets coming from H, and host H is the 
destination for packets coming from K. 


The same procedure applies when switches are connected in tandem. Figure 3 illustrates 
the case when there are two switches between hosts H and K. 

As is usual with Ethernet switches, the IP addresses and Ethernet addresses of hosts
attached to a particular port are discovered by scanning packet source addresses or by using ARP.
The packet forwarding table used by each virtual host is constructed by examining the header of
the first IP packet in a flow.

Of course, virtual hosts do not really exist, even as processes within a switch. It is just 
that the actions of a switch as seen from outside are exactly as described by the model. Internally
the switch uses a combination of technologies found today in IP routers and virtual circuit 
switches. It is a table-driven process that stores packets in queues, processes their headers and 
transfers them to the appropriate output ports with appropriate attention to the quality of service 
appropriate to each traffic class. 


The same technique can be used for point to multipoint flows, as shown in Figure 4. In
this example, host H is the root of a multicast tree that transmits packets to the two hosts K and
L. The forwarding table now has three rows, one for each host in the multicast, and a third
column indicates which host is the "root" of the multicast tree. Packets coming from H are
copied to each of the hosts given in the other rows of the table. Packets addressed to V from K
and L may either be rejected or propagated upstream depending upon the permission stated in
the "perm" column. Note that if K and L do transmit packets upstream, H must examine the IP
header to determine the source of each packet.

An example of a virtual circuit signaling connection set-up protocol follows. A protocol
for setting up a connection between two hosts A and B takes place in three stages. First A
requests that the connection be made, then B accepts the request and causes a virtual circuit to be
created, and finally A confirms that indeed there is a connection.

The connection request is sent as an ordinary IP datagram from A to B. The accept
message is sent as a signal, which is a message from A to B that is flagged for special attention in
each of the network nodes along the way. As this signal progresses through the network a (full
duplex) virtual circuit is created between A and B. Finally, the confirmation message from A is
transmitted over the new virtual circuit.



A socket number is an identifier chosen by a host to represent one end of a connection.
Socket numbers for successive conversations should be different one from another so that a long
time will elapse between repeated use of any one socket number. This allows any messages
involved in a connection set-up to be retransmitted without ambiguity. For IPv4 the socket
number is synonymous with port number as used by TCP or UDP. In other words, as is well
known in the art, a port number is associated with a socket number, and this association of a port
number to a socket can change over time. See, for example, W.R. Stevens, "Unix Network
Programming", Prentice Hall Software Series, April 1990, Chapter 6, "Berkeley Sockets", pages
258-304.


The connection, accept and confirm messages are coincident with the IP packets which
normally start a TCP virtual circuit connection on the Internet. A TCP session begins with the
following 3-way handshake: Client host A chooses a port number and sends a SYN message to
server host B. B chooses a port number, and sends a SYN message to A. A can then use the
connection, and sends an ACK message to B. B then understands that it can also use the
connection.

Implementation of the TCP virtual circuit as a switched flow at layer 2 takes place
concurrently with step two of this handshake. No extra packets need be transmitted.

The embodiments described above advantageously protect the confidentiality, integrity
and authenticity of a conversation represented by a flow. As used herein, protecting
"confidentiality" means preventing unauthorized access to the contents of the flow. Protecting
"integrity" means preventing the unauthorized manipulation or alteration of the flow. Protecting
"authenticity" means providing some assurance that the purported source of a packet is the actual
source of the packet. As shown in Figure 2, the VC forwarding table stores a list of allowed hosts
(real and virtual) from which packets may come, and to which packets may be sent. Also, switch
S stores the port number through which switch S communicates with each host. When a packet
from H arrives at switch S through port P, switch S searches the VC forwarding table for a record
that correlates the source address of the packet with the port number through which the packet
has arrived. If such a record is not found in the VC forwarding table, then the packet is rejected.
In other words, if a packet arrives through the wrong port or from an unknown source, then the
authenticity and/or integrity of the packet is suspect, and the packet is rejected. This should be
implemented for both virtual and real host addresses in all of the switches handling a flow to
maximize security.
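
The address swap and the source/port check described above can be modelled in a few lines. The following Python sketch is an added example, not code from this disclosure; the class and function names, the port wiring of the two tandem switches, and the sample Ethernet addresses are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Frame:
    dst: str              # Ethernet destination address
    src: str              # Ethernet source address
    payload: bytes = b""

class FlowSwitch:
    """Model of one flow-aware switch: one VC forwarding table per virtual host."""

    def __init__(self) -> None:
        # virtual host address -> {allowed peer address: port it must arrive on}
        self.vc_table: Dict[str, Dict[str, str]] = {}

    def add_flow(self, virtual: str, peer_a: str, port_a: str,
                 peer_b: str, port_b: str) -> None:
        """Install the two-row table of a point-to-point flow (Figure 2 layout)."""
        self.vc_table[virtual] = {peer_a: port_a, peer_b: port_b}

    def handle(self, frame: Frame, in_port: str) -> Tuple[str, Optional[str], Optional[Frame]]:
        """Return (verdict, out_port, out_frame) for a frame received on in_port."""
        peers = self.vc_table.get(frame.dst)
        if peers is None:
            # Not addressed to a virtual host: ordinary Ethernet forwarding,
            # which this sketch does not model.
            return ("not-a-flow", None, None)
        # Ingress check: the source must be listed for this flow AND must have
        # arrived on the port recorded for it; otherwise the frame is rejected.
        if peers.get(frame.src) != in_port:
            return ("reject", None, None)
        # Address swap: the old destination (V) becomes the source, and the new
        # destination is the other row of the table.
        out_dst, out_port = next((a, p) for a, p in peers.items() if a != frame.src)
        return ("forward", out_port, Frame(out_dst, frame.dst, frame.payload))

# Constructed sample addresses: H and K use the RFC 7042 documentation range,
# V1 and V2 are locally administered addresses standing in for virtual hosts.
H, K = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
V1, V2 = "02:00:00:00:00:01", "02:00:00:00:00:02"

def tandem_path(first: Frame, in_port: str) -> Tuple[str, Optional[Frame]]:
    """Send a frame through two switches in tandem (port wiring is assumed)."""
    s1, s2 = FlowSwitch(), FlowSwitch()
    s1.add_flow(V1, H, "P1", V2, "P2")   # S1: H on P1, downstream virtual host V2 on P2
    s2.add_flow(V2, V1, "P1", K, "P2")   # S2: upstream virtual host V1 on P1, K on P2
    verdict, _, hop = s1.handle(first, in_port)
    if verdict != "forward":
        return verdict, None
    verdict, _, out = s2.handle(hop, "P1")  # S1's P2 is wired to S2's P1
    return verdict, out

if __name__ == "__main__":
    print(tandem_path(Frame(dst=V1, src=H, payload=b"hello"), "P1"))
    print(tandem_path(Frame(dst=V1, src=H, payload=b"wrong port"), "P2"))
```

Because the second switch applies the same check to the virtual source address V1, a frame is accepted there only if it arrives on the port that leads back to the first switch.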


The above description is meant to illustrate, and not limit, the scope of the present 
invention. For example, although Ethernet and Internet protocols were discussed in illustrating 
various embodiments, any suitable protocols can be used in accordance with the present 
invention. Other embodiments of the present invention will be understood and appreciated by 
those skilled in the art from the present disclosure.

What is claimed is:


1. A method for identifying a flow, including:
receiving a request from a host for a flow identifier;
sending a flow identifier to the host; and
receiving a packet with the flow identifier as the address.

2. The method of claim 1, wherein the address is a source address.

3. The method of claim 1, wherein the address is a destination address.

4. The method of claim 1, wherein the flow identifier is an address of a virtual host.

5. The method of claim 1, wherein the destination address of the packet is the address of a
virtual host.

6. The method of claim 1, wherein the source address of the packet is the address of a
virtual host.

7. The method of claim 1, wherein the packet has an Ethernet packet header and an Ethernet
payload, wherein the Ethernet header has an Ethernet source address and an Ethernet
destination address, and wherein the flow identifier is the Ethernet source address.

8. The method of claim 1, wherein the packet has an Ethernet packet header and an Ethernet
payload, wherein the Ethernet header has an Ethernet source address and an Ethernet
destination address, and wherein the Ethernet source address is the address of a real host.

9. The method of claim 1, wherein the packet has an Ethernet packet header and an Ethernet
payload, wherein the Ethernet header has an Ethernet source address and an Ethernet
destination address, and wherein the Ethernet source address is the address of a virtual
host.

10. The method of claim 1, wherein the packet has an Ethernet packet header and an Ethernet
payload, wherein the Ethernet header has an Ethernet source address and an Ethernet
destination address, and wherein the Ethernet destination address is the address of a real
host.

11. The method of claim 1, wherein the packet has an Ethernet packet header and an Ethernet
payload, wherein the Ethernet header has an Ethernet source address and an Ethernet
destination address, and wherein the Ethernet destination address is the address of a
virtual host.

12. The method of claim 1, wherein the packet has an Ethernet packet header and an Ethernet
payload, wherein the Ethernet header has an Ethernet source address and an Ethernet
destination address, and wherein the flow identifier is the Ethernet source address.

13. The method of claim 1, wherein the packet has an Ethernet packet header and an Ethernet
payload, wherein the Ethernet header has an Ethernet source address and an Ethernet
destination address, and wherein the Ethernet destination address is a first host address.

14. The method of claim 13, wherein the Ethernet payload has an Internet Protocol header
and an Internet Protocol payload, wherein the Internet Protocol header has an Internet
Protocol source address and an Internet Protocol destination address, and further
including:
determining a second host address based upon the Internet Protocol destination
address in the Internet Protocol header; and
storing the second host address correlated with the first host address in a packet
forwarding table.

15. The method of claim 13, wherein the first host address is the address of a real host, and
the second host address is a virtual host address.

16. The method of claim 13, wherein the first host address is a virtual host address, and the
second host address is the address of a real host.

17. The method of claim 13, further including:
changing the Ethernet source address of the packet to be equal to the first host
address;
changing the Ethernet destination address of the packet to be equal to the second
host address; and
sending the packet.

18. The method of claim 13, wherein the Ethernet payload has an Internet Protocol header
and an Internet Protocol payload, wherein the Internet Protocol header has an Internet
Protocol source address and an Internet Protocol destination address, and further
including:
determining a second host address from a packet forwarding table;
changing the Ethernet source address of the packet to the first host address;
changing the Ethernet destination address of the packet to the second host address;
and
sending the packet.

19. The method of claim 1, wherein an incoming packet that has a first host address as its
destination address arrives at a port having a first port identifier, and wherein a packet
forwarding table correlates the first host address with a second port identifier; and further
including rejecting the packet if the first port identifier is not equal to the second port
identifier.

20. The method of claim 1, wherein the Ethernet payload has an Internet Protocol header and
an Internet Protocol payload, wherein the Internet Protocol header has an Internet
Protocol source address and an Internet Protocol destination address, and further
including:
determining a plurality of forwarding host addresses from a packet forwarding
table;
changing the Ethernet source address of the packet to the first host address;
creating a copy of the packet for each forwarding host address;
changing the Ethernet destination address of each copy of the packet to a
forwarding host address; and
sending each copy of the packet.

21. The method of claim 20, wherein a forwarding host address is the address of a real host.

22. The method of claim 20, wherein a forwarding host address is a virtual host address.

23. A method for handling flows, including:
adding a virtual circuit flag to a packet; and
setting the value of the virtual circuit flag to indicate when the packet belongs to a flow
and requests that the flow be recognized by the network.

24. The method of claim 23, further including:
determining if the virtual circuit flag indicates a flow; and
if the virtual circuit flag indicates a flow, then replacing an address of the packet with
a host address.

25. The method of claim 24, wherein the source address of the packet is replaced with a host
address.

26. The method of claim 24, wherein the destination address of the packet is replaced with a
host address.

27. The method of claim 24, wherein the host address is the address of a real host.

28. The method of claim 24, wherein the host address is a virtual host address.

29. A method for establishing a virtual circuit for a flow, including:
forwarding a connection request datagram from a first host to a second host;
forwarding an accept message from the second host to the first host, wherein the accept
message is flagged as a virtual circuit establishment signal;
establishing a full duplex virtual circuit between the first host and the second host;
forwarding a confirmation message from the first host to the second host over the virtual
circuit.

Abstract of the Invention

A flow in a network is identified and handled by using a virtual host address. A packet is 
received at a switch with a first virtual host address as its destination address. If the packet is the 
first packet of a flow received by the switch, then a second virtual host address is determined by 
the switch. The first virtual host address is stored in a packet forwarding table correlated with the 
second virtual host address. A subsequently received packet of the same flow has the same first 
virtual host address as its destination address, and is forwarded to the second virtual host address 
in accordance with the packet forwarding table. 